public interface Authentication extends Principal, Serializable

Once the request has been authenticated, the Authentication will usually be stored in a thread-local SecurityContext managed by the SecurityContextHolder by the authentication mechanism which is being used. An explicit authentication can be achieved, without using one of Spring Security's authentication mechanisms, by creating an Authentication instance and using the code:

SecurityContextHolder.getContext().setAuthentication(anAuthentication);

Note that unless the Authentication has the authenticated property set to true, it will still be authenticated by any security interceptor (for method or web invocations) which encounters it.

In most cases, the framework transparently takes care of managing the security context and authentication objects for you.
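The following is an added example (not code from the Spring Security Javadoc or project) of the explicit-authentication path described above. It assumes spring-security-core on the classpath; the principal name, password and role are constructed values. It shows the two things a practitioner most often gets wrong: the two-argument UsernamePasswordAuthenticationToken is an authentication request (authenticated == false) and cannot be flipped to trusted with setAuthenticated(true), while the constructor that takes authorities produces a trusted token; and the token is published by building a fresh SecurityContext and clearing it afterwards, so it never leaks to the next task on the same thread.

```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

public class ExplicitAuthenticationDemo {

    public static void main(String[] args) {
        // Constructed values for this example; in real code the principal has already
        // been verified by whatever mechanism you replaced Spring Security's with.
        String principal = "alice";

        // Two-argument constructor: an authentication *request*. isAuthenticated() is false,
        // so a security interceptor that meets it would hand it to the AuthenticationManager.
        Authentication request = new UsernamePasswordAuthenticationToken(principal, "s3cret");
        System.out.println("request authenticated? " + request.isAuthenticated()); // false

        // A request token refuses to be marked trusted: the only way to obtain a trusted
        // UsernamePasswordAuthenticationToken is the constructor that takes authorities.
        try {
            request.setAuthenticated(true);
        } catch (IllegalArgumentException e) {
            System.out.println("setAuthenticated(true) rejected: " + e.getMessage());
        }

        // Constructor with authorities: a fully authenticated token (isAuthenticated() == true).
        // Credentials are null because the secret has served its purpose and should not be retained.
        Authentication trusted = new UsernamePasswordAuthenticationToken(
                principal, null, AuthorityUtils.createAuthorityList("ROLE_USER"));

        // Publish it in a fresh context rather than mutating the shared one, so no other
        // thread can observe a context that is only partly populated.
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(trusted);
        SecurityContextHolder.setContext(context);

        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        System.out.println("current principal=" + current.getName()
                + " authenticated=" + current.isAuthenticated()
                + " authorities=" + current.getAuthorities());

        // Clear the thread-local when the unit of work ends; a pooled thread otherwise carries
        // this identity into whatever runs on it next.
        SecurityContextHolder.clearContext();
    }
}
```

The try/catch around setAuthenticated(true) is deliberate: the interface allows an implementation to reject that call with IllegalArgumentException, and UsernamePasswordAuthenticationToken does exactly that, which is the behaviour you want from a token that would otherwise let arbitrary code promote an unverified request to a trusted identity.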
Method Summary

| Modifier and Type | Method and Description |
| --- | --- |
| Collection<? extends GrantedAuthority> | getAuthorities(): Set by an AuthenticationManager to indicate the authorities that the principal has been granted. |
| Object | getCredentials(): The credentials that prove the principal is correct. |
| Object | getDetails(): Stores additional details about the authentication request. |
| Object | getPrincipal(): The identity of the principal being authenticated. |
| boolean | isAuthenticated(): Used to indicate to AbstractSecurityInterceptor whether it should present the authentication token to the AuthenticationManager. |
| void | setAuthenticated(boolean isAuthenticated): See isAuthenticated() for a full description. |
Method Detail

Collection<? extends GrantedAuthority> getAuthorities()

Set by an AuthenticationManager to indicate the authorities that the principal has been granted. Note that classes should not rely on this value as being valid unless it has been set by a trusted AuthenticationManager.

Implementations should ensure that modifications to the returned collection array do not affect the state of the Authentication object, or use an unmodifiable instance.

Object getCredentials()

The credentials that prove the principal is correct. This is usually a password, but could be anything relevant to the AuthenticationManager. Callers are expected to populate the credentials.

Object getDetails()

Stores additional details about the authentication request. These might be an IP address, certificate serial number etc.

Returns: additional details about the authentication request, or null if not used

Object getPrincipal()

The identity of the principal being authenticated. The AuthenticationManager implementation will often return an Authentication containing richer information as the principal for use by the application. Many of the authentication providers will create a UserDetails object as the principal.

Returns: the Principal being authenticated or the authenticated principal after authentication.

boolean isAuthenticated()

Used to indicate to AbstractSecurityInterceptor whether it should present the authentication token to the AuthenticationManager. Typically an AuthenticationManager (or, more often, one of its AuthenticationProviders) will return an immutable authentication token after successful authentication, in which case that token can safely return true to this method. Returning true will improve performance, as calling the AuthenticationManager for every request will no longer be necessary.

For security reasons, implementations of this interface should be very careful about returning true from this method unless they are either immutable, or have some way of ensuring the properties have not been changed since original creation.

Returns: true if the token has been authenticated and the AbstractSecurityInterceptor does not need to present the token to the AuthenticationManager again for re-authentication.

void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException

See isAuthenticated() for a full description.

Implementations should always allow this method to be called with a false parameter, as this is used by various classes to specify the authentication token should not be trusted. If an implementation wishes to reject an invocation with a true parameter (which would indicate the authentication token is trusted - a potential security risk) the implementation should throw an IllegalArgumentException.

Parameters: isAuthenticated - true if the token should be trusted (which may result in an exception) or false if the token should not be trusted

Throws: IllegalArgumentException - if an attempt to make the authentication token trusted (by passing true as the argument) is rejected due to the implementation being immutable or implementing its own alternative approach to isAuthenticated()
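Below is an added example (not part of the Spring Security Javadoc or code base) of an Authentication implementation that honours the contract spelled out for getAuthorities(), isAuthenticated() and setAuthenticated(): the class VerifiedToken is hypothetical, it assumes spring-security-core on the classpath, and the principal and role in main() are constructed. Its properties are immutable and the authorities are defensively copied and exposed unmodifiable, so it may report itself trusted; setAuthenticated(false) is always accepted, and setAuthenticated(true) is rejected with IllegalArgumentException so that code holding the token cannot re-trust it.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/** Hypothetical pre-authenticated token: built only after the principal has been verified. */
public final class VerifiedToken implements Authentication {

    private final String name;
    private final Object details;
    private final List<GrantedAuthority> authorities;
    // The only mutable state, and it can only ever move from trusted to untrusted.
    private volatile boolean authenticated = true;

    public VerifiedToken(String name, Object details, Collection<? extends GrantedAuthority> granted) {
        this.name = name;
        this.details = details;
        // Defensive copy wrapped unmodifiable: neither the collection the caller passed in nor
        // the one we hand out can be used later to grant the principal extra authorities.
        this.authorities = Collections.unmodifiableList(new ArrayList<>(granted));
    }

    @Override public Collection<? extends GrantedAuthority> getAuthorities() { return authorities; }

    // The secret is not retained; verification already happened before construction.
    @Override public Object getCredentials() { return null; }

    @Override public Object getDetails() { return details; }

    @Override public Object getPrincipal() { return name; }

    @Override public String getName() { return name; }

    // Safe to return true: every property is final and the authorities cannot be changed.
    @Override public boolean isAuthenticated() { return authenticated; }

    @Override
    public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
        if (isAuthenticated) {
            // Refusing to be re-marked trusted is the behaviour the interface asks for.
            throw new IllegalArgumentException(
                    "VerifiedToken cannot be marked trusted after construction");
        }
        // Marking the token untrusted must always be allowed.
        this.authenticated = false;
    }

    public static void main(String[] args) {
        // Constructed sample identity and role for this example.
        VerifiedToken token = new VerifiedToken("alice", "203.0.113.7",
                List.of(new SimpleGrantedAuthority("ROLE_USER")));

        System.out.println("trusted on creation: " + token.isAuthenticated()); // true

        try {
            token.getAuthorities().add(null); // compile-time types allow this; runtime rejects it
        } catch (UnsupportedOperationException e) {
            System.out.println("authorities are unmodifiable");
        }

        token.setAuthenticated(false);
        System.out.println("after setAuthenticated(false): " + token.isAuthenticated()); // false

        try {
            token.setAuthenticated(true);
        } catch (IllegalArgumentException e) {
            System.out.println("re-trusting rejected: " + e.getMessage());
        }
    }
}
```

Note the unchecked add in main(): getAuthorities() is declared as Collection<? extends GrantedAuthority>, so the compiler only lets you add null, and the unmodifiable wrapper turns even that into UnsupportedOperationException. Any interceptor that later encounters this token after setAuthenticated(false) will send it back to the AuthenticationManager rather than trusting it.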